Main Vulnerability Database Vulnerabilities #VU54286

#VU54286 Code injection in Dovecot - CVE-2021-33515

Published: June 21, 2021

Vulnerability identifier: #VU54286

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-33515

CWE-ID: CWE-74

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Dovecot

Software vendor:
Dovecot

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in the way STARTTLS command in processed by the SMTP server. the commands sent during the session before the STARTTLS command are queued and executed later, after the STARTTLS finished with the client. As a result, a remote attacker can perform a MitM attack and gain access to victim's emails.

Remediation

Install updates from vendor's website.

External links

https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html

#VU54286 Code injection in Dovecot - CVE-2021-33515

Description

Remediation

External links

Please verify you're human